27 Jan 2012 | Doug McKillip | No Comments | 1,114 views | Categories: ASA Appliance, Cisco, Technology
Another Look at ASDM Demo Mode – Importing Your Configurations

Some time back I posted an article regarding the use of ASDM Demo Mode. To briefly summarize, I highlighted two main advantages to its use:

Being able to explore the features of the ASA GUI without involving a real “live” production appliance — and —
Helping the student prepare for a certification exam by practicing the interface.

As is frequently the case these days, a student of mine this past summer pointed out a valuable feature of this demo mode worth sharing, which is the subject of this post.

18 Jan 2012 | Doug McKillip | No Comments | 951 views | Categories: ASA Appliance, Cisco, Routing & Switching, Technology
Some Observations and Opinions on Security Troubleshooting with syslog vs debug

Over the years, in both the classroom and at the customer site, I have had the “opportunity” to troubleshoot a Cisco security deployment. I put that word in quotes because, let’s face it, troubleshooting is done to solve problems, which can be excellent learning opportunities. Two tools frequently chosen for this task, both native to most Cisco devices, are a) debug and b) syslog. This post offers my personal recommendations as to when to choose one versus the other.

21 Nov 2011 | Doug McKillip | No Comments | 978 views | Categories: ASA Appliance, CCNP Security, Cisco, FIREWALL, Technology
ICMP Error Inspection on the ASA

The official Cisco CCNP Security FIREWALL training course (as well as other documentation) recommends enabling the inspection of the Internet Control Message Protocol (ICMP), even though it’s disabled by default. The image below displays the recommended practice as configured in ASDM, but the curious student might wonder what the unchecked “ICMP Error” box is. That’s what I’ll focus on in this post.

4 Nov 2011 | Doug McKillip | No Comments | 626 views | Categories: ASA Appliance, Cisco, Technology
Benefit from Using Failover MAC Address

In this post I’ll focus on a topic that’s mentioned in the Cisco FIREWALL training class but isn’t emphasized there or in the online Cisco ASA documentation. When configuring failover on a pair of ASA security appliances, network disruption can occur if the secondary ASA in a failover pair becomes active first and the primary comes online second. Both the documentation and the courseware point out that this causes the secondary (and active) ASA to swap its interface MAC addresses with those of the primary. Being naturally skeptical about this behavior, I decided to investigate. The rest of this post illustrates my confirmation of this phenomenon.

28 Oct 2011 | Doug McKillip | No Comments | 586 views | Categories: ASA Appliance, Cisco, Technology
AnyConnect® 3.0 and Internet Key Exchange (IKE) Version 2 – Part II

As promised, this post provides the second part of my experiences using the AnyConnect® 3.0 client with IKE version 2. This research was conducted using an ASA5520 with OS version 8.4(1) and ASDM version 6.4(1). Rather than illustrate a “how to” guide for a successful implementation (which is what I did in Part I), this follow-up will provide troubleshooting and research into an (as yet) unsupported capability of the IKEv2 protocol.

21 Oct 2011 | Doug McKillip | No Comments | 708 views | Categories: ASA Appliance, Cisco, Technology
AnyConnect® 3.0 and Internet Key Exchange (IKE) Version 2 — Part I

Almost a year ago I posted a two-part series on IKE version 2 about the protocol and some fundamental implementation principles on the Cisco IOS® router. With the announcement toward the end of last year of AnyConnect® Secure Mobility Client version 3.0 along with this year’s availability of ASA OS 8.4 and 8.5, discussion of the security appliance implementation of IKEv2 is timely. Due to the volume of information, I’ll again separate this post into two parts.

14 Oct 2011 | Doug McKillip | One Comment | 413 views | Categories: ASA Appliance, Cisco, Security, Technology
ASA OS 8.5 — A Few Perspectives

This summer Cisco Systems announced a new ASA software release, 8.5. This post focuses on this version’s new features as well as its newly supported hardware. At the time of this post, the associated ASDM software (version 6.5(x)) wasn’t yet available for download.

7 Oct 2011 | Doug McKillip | No Comments | 540 views | Categories: Cisco, Technology
Using Packet Crafting Tools for Stress and Penetration Testing — Cisco Security Devices

Within most of my Cisco Security classes, students are given the opportunity (some for the first time!) to use packet crafting tools to probe the simulated real-world networks in the remote lab environment. This post will illustrate four of the more popular choices as well as provide examples of where each might best be used. These tools can be used both to probe for weaknesses on switches and routers by spoofing actual device-to-device protocols and to simulate a denial-of-service (DoS) attack.

29 Jul 2011 | Doug McKillip | No Comments | 1,248 views | Categories: Cisco, Technology
Cisco Configuration Professional Demo Mode – Part II

In Part I of this series I shared the installation specifics (and challenges!) with you for CCP. This second part of the two-part series explores the actual user interface. As the Cisco Configuration Professional version 2.2 release notes point out, the demo mode of this application pre-populates the interface with three router types:

21 Jul 2011 | Doug McKillip | 3 Comments | 1,574 views | Categories: Cisco, Technology
Cisco Configuration Professional Demo Mode – Part I

The newest Cisco training courses now use Cisco Configuration Professional instead of the older Security Device Manager product. This post highlights the features and screens of the demo version of this product. I chose the most current version, 2.5. Since I find demo versions of Cisco graphical user interfaces especially useful for professionals either studying for an examination or practicing before using the product in production, I will especially emphasize the installation in this first part of a two-part series.